ABSTRACT

To make complex military equipment satisfactorily reliable, present
specifications are totally inadequate. It is imperative that generous
safety margins between “stresses” and “strengths” be specified, applied,
and controlled by the contracting agencies.

A Reliability Code, consisting of 21 paragraphs, is formulated to
supplement and override existing specifications.

This  study  is  an  expanded  version  of  an  earlier  paper  “Reliability 
Specifications  for  Guided  Missiles,”  by  the  same  author. 

INTRODUCTION

There is a widespread belief that reliability requirements are very
much the same for guided missiles as for piloted aircraft, because
“both are airborne.” This is a dangerous mistake. Both are airborne,
true, and both are complex. But they differ in one significant
respect: the “vital” complexity, which is not indicated by the number
of all components, but by the number of vital components — those that
by their failure will cause the total loss of the missile or the
aircraft.

In commercial piloted aircraft, only a few dozen components, most of
them structural, are really vital in the sense that failure of any one
of them will cause a total loss. Thousands of other components,
particularly the electronic components, are not vital. They may fail,
and they do fail, without any catastrophic consequences because the
pilot can do without them and bring the aircraft safely home for
inspection and repair.

In guided missiles, on the other hand, all components, including
electronic components, are vital since any one of them, if it fails,
will invariably cause the missile to miss its target. A missile once
fired cannot be recovered, repaired, and re-used like a piloted
aircraft. If it does not hit its target, the loss is complete — both
in taxpayers’ dollars and in potential military consequences.

If we compare the number of vital components of a piloted aircraft and
a missile, we realize why piloted aircraft are orders of magnitude,
perhaps a thousand times, more reliable than guided missiles.
Obviously, as far as the achievement of reliability is concerned,
guided missiles and piloted aircraft belong in entirely different
categories.

Since World War II, the “vital” complexity of non-missile equipment
such as radar, commercial piloted aircraft, and computers has steadily
increased. Yet, apparently, these categories of equipment continue to
be satisfactorily reliable. If this were not so, no one would dare
board an airliner, and no computer would be of any use.


This rather favorable situation is illustrated by the lower curve in
Figure 1 representing the growth of “vital” complexity in non-missile
equipment since 1935. The growth has been slow, hence the increase in
component reliability has kept pace with it.

Now compare that line with the breathtaking climb of the upper curve
in the diagram. This curve represents the growth in complexity of
non-recoverable equipment: ammunition, bombs, mines, torpedoes,
missiles, guided missiles and unmanned satellites. Here complexity is
rapidly outgrowing the state of the art of making components reliable.
Thus, an ever-increasing deficit is created between the reliability
level of ordinary components and the level required to attain an
acceptable overall reliability.

Fig. 1. Trend of Complexity of Recoverable and
Non-recoverable Equipment Indicated by
the Number of Vital Components

Unfortunately, as new performance requirements accelerate this upward
trend of complexity, the deficit increases year by year, with the end
nowhere in sight.

Obviously, if we want to make complex military equipment
satisfactorily reliable, this dangerous trend must be stopped, and
even reversed. How this may be accomplished is the subject of this
study.


PART  I 

THREE  CATEGORIES  OF  RISK 

There are many fallacious concepts of quality and reliability which
contribute to the unreliability of complex equipment. One by one they
lose ground. One of these concepts, however, is still deeply
entrenched in the routines of design, manufacture, and procurement:
that components which comply with standard specifications may safely
be employed in all kinds of equipment, be they simple or complex,
inexpensive or costly, harmless or fraught with heavy risks.

This fallacious concept completely ignores the consequences of
failure. If consequences are harmless, unreliability poses little or
no problem. However, if they are serious, or very serious, the
achievement of reliability may become the overriding problem of
design, manufacture, maintenance, and operation.

Degrees of risk caused by unreliability vary tremendously, ranging
from no risk at all, as in home radios, to extremes of risk, as in
atomic bombs and spaceships. Obviously, components of a spaceship must
be made much more reliable than those of a home radio.

How much more reliable? Ten, or a hundred, or a thousand times? This
question cannot be answered conclusively because actual figures depend
on individual cases. But, to permit at least a rough appraisal of the
required reliability effort, the following three classes of equipment
may be established:

(a) Low-Risk Equipment: That which in the event of failure can always
be repaired and put to work again. Examples: home appliances and
office machines. For such equipment, commercial standards of quality
may be stringent enough to achieve and control quality and
reliability.

(b) High-Risk Equipment: A very costly equipment which, in the event
of failure of any one of its components, is irretrievably lost. Guided
missiles are characteristic for this class. To make a high-risk
equipment reasonably reliable, its components must be made perhaps two
orders of magnitude (or a hundred times) more reliable than components
for commercial use.

(c) Ultrahigh-Risk Equipment: That which, in the event of failure,
will result not only in huge material losses, but also in loss of
life, and perhaps national prestige. Example: A manned spaceship.
Components to be employed in ultrahigh-risk equipment must be made
perhaps four orders of magnitude (or ten thousand times) more reliable
than commercial components.

By now it is widely appreciated that the overall reliability of a
weapon system can be improved by increasing the reliability of its
components. However, by establishing the above three classes of
equipment risk we are forewarned to think of component improvements
not by factors of two, three, or five, but by orders of magnitude.
This, in turn, means that we must strive for an absolute degree of
component reliability, and nothing less.

How can absolute component reliability be achieved? Many different
efforts may be directed to this end. One of the most powerful of these
is that of specifying generous safety margins between stresses and
strengths.

It is a strange phenomenon that writers of military specifications
thus far have failed to adopt the principle of safety margins. It
therefore appears necessary that the intricate problem of
specification writing be discussed first.

PART  II 

PRINCIPLES  OF  RELIABILITY 
SPECIFICATIONS 

1. The Evolutionary Approach

It is argued that the overall reliability of a piece of equipment may
best be raised by routinely revising and improving existing
specifications.

Let us examine this argument carefully. Most specifications are the
result of decades of cumbersome and costly trial and error. We call
this advancement of the state of art by evolution. For example, we
know that at least two piston rings are required to seal and lubricate
the pistons of a reciprocating engine. We know the most suitable
material, the proper tolerances, and the most effective method of
manufacture. We know also that we may expect a certain wear-out life,
say 2,000 hours.

In a mature state of art such as this, contracting agencies can write
clear-cut specifications for competitive bidding, design, production,
quality control, and acceptance inspection. The contractor knows
exactly what is required. By strictly adhering to these specifications
he may achieve the specified quality, and even exceed it.

Not so with the components of complex military equipment, such as
guided missiles. Their environmental conditions are often extremely
severe and also little known. Hence their state of the art is far less
mature and their reliability much lower.

But even if all conditions were perfectly known, and properly taken
care of, present specifications still would be inadequate for
achieving a satisfactory degree of overall reliability for the
following reason: The overall reliability of a piece of complex
equipment does not equal the average reliability of its components, as
many still may think; it equals the product of them, as indicated by
the reliability formula:

$$P_{\text{overall}} = P_1 \cdot P_2 \cdot P_3 \cdots P_n$$

According to this formula, to make a complex equipment reasonably
reliable, its components must be made more reliable in proportion to
the “vital” complexity. (A component is vital if its failure causes
the loss of the whole equipment, and/or the death of a crew.) The
vital complexity of a missile system, for example, may be a hundred
times or a thousand times higher than the vital complexity of a
commercial piloted aircraft. Hence, missile components must be made a
hundred times or a thousand times more reliable than their commercial
counterparts.
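
The proportionality can be read off the reliability formula. As an added worked step (not part of the original study), assume all n vital components have the same failure probability q, so that each component reliability is 1 - q:

$$P_{\text{overall}} = (1 - q)^n \approx 1 - nq \quad (nq \ll 1), \qquad\text{hence}\qquad q \approx \frac{1 - P_{\text{overall}}}{n}$$

For a constructed target of $P_{\text{overall}} = 0.9$, an equipment with n = 50 vital components may allow q of about $2 \times 10^{-3}$ per component, while one with n = 5,000 may allow only about $2 \times 10^{-5}$: a hundred times the vital complexity demands a component failure probability a hundred times smaller.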

Present specifications neglect this fact entirely, just as they
neglect the reliability formula. They demand only “quality” which,
however, is a property independent of complexity. Small wonder then,
that designers often work in the dark, torn by conflicting concepts of
quality and reliability.

This is a serious handicap. Ammunition, mines, torpedoes, and missiles
cannot be better than the specifications for their design and
manufacture. Specifications should, therefore, be kept abreast or, if
possible, ahead of the state of the art. Actually, they are lagging
most of the time, thereby freezing the state of art at levels of
reliability attained years ago. Attempts to tighten up the
specifications are often opposed by persons and agencies who are
responsible for speedy and economical production. But, speed and
economy of production are archenemies of reliability. Therefore the
progress in overall reliability, based on the evolution of ordinary
specifications, is very slow.

There is another reason why the evolutionary approach in specification
writing is utterly inadequate: The number of specification paragraphs
that must be considered in the development and manufacture of guided
missiles and their components is staggering; they cover more than
75,000 printed pages! To even read them may take years. To revise them
with the intent to improve reliability may take a generation.
Meanwhile, the complexity of military equipment may continue to climb
far beyond any increase in component reliability that evolution can
accomplish.

This does not imply that existing specifications are useless and
should be discarded. They represent the state of art and should,
therefore, always be consulted. At the same time, however, they should
be mistrusted, because they were written for achieving the moderate
degree of reliability required for commercial components, and by no
means for achieving the “absolute” degree of component reliability
required in highly complex military equipment.

2.  The  Revolutionary  Approach 

The question arises: Will we ever be able to establish an adequate
state of art for all of the thousands of component types employed in
complex military equipment? The answer is yes. However, this can be
brought about only by a revolution in specification writing. A
radically new approach must be sought, based on those factors which
actually govern reliability, namely:

a. The actual maximum environmental conditions occurring in service.

b. The actual mechanics of failure.

c. The actual ultimate strength with regard to each mechanics of
failure.

d. The actual variation of strength.

e. The actual safety margin between average strength and environmental
condition.

The  writing  of  such  reliability  specifications 
supplementing  and  overriding  conventional 
specifications  is  imperative.  To  these  we  turn 
now. 

PART  III 

RELIABILITY THROUGH SAFETY FACTORS
AND SAFETY MARGINS

1. The Principle of Safety Factors

To provide a safeguard against unpredictable stress levels that may
cause failures, it is common practice to specify minimum safety
factors between the ultimate strength of a component type and the
maximum stress to which it may be exposed in service.

Exceptionally high safety factors are specified whenever human life is
at stake, as in the structural designs of buildings, bridges,
elevators, and aircraft. The minimum safety factors specified in the
design of structures are shown in the excerpt from Machinery’s
Handbook, Figure 2.

The reader will note that the factor of ignorance should occasionally
be given as high as 10!

In much the same manner, nature has endowed living organisms with
amazingly high safety factors. Our heart can pump ten times the normal
rate of blood flow; our lungs can exchange ten to twelve times the
normal volume of air; our bones break at loads ten to twenty times the
static loads.


Total  Safety  Factor  F  =  a  •  b  •  c  •  d 

a  —  the  ratio  of  ultimate  strength  to  elastic  limit 
(between  1.5  and  2). 

b — depends on character of stress; 1 for a dead load;
2 for a load varying between zero and maximum;
3 for a load alternating between negative and positive.

c  —  depends  on  the  manner  in  which  loads  are  applied; 
1  for  load  gradually  applied;  2  for  load  suddenly 
applied;  3  and  more  for  impact  loads. 

d  —  the  factor  of  ignorance.  Whereas  the  other  factors 
provide  against  known  conditions,  this  provides 
against  the  unknown.  It  varies  between  1.5  and  3, 
it  should  occasionally  be  given  as  high  a  value  as  10. 

Example  of  a  Piston  Rod:  F  =  2  •  3  •  2  •  1.5  =  18 

Fig.  2.  Specified  Minimum  Safety  Factors  in 
the  Design  of  Structures  and  Machinery 

Such generous safety factors have helped make structures and machines
absolutely reliable, not just in their components but as whole complex
systems. Example: The complex airframes of aircraft to which, without
hesitation, we trust our lives.

It thus appears a matter of course that in guided missiles, too,
generous safety factors should be specified and applied.
Unfortunately, in some quarters the principle of safety factors is not
appreciated. It is argued that generous safety factors would so
encumber airborne equipment as to ruin its performance; that
components which comply with conventional specifications are good
enough to “assure” reliability; that there is no need to determine
safety factors by tests to failure; and that the principle of safety
factors is “nebulous anyway.” It will be shown later in this study
that these arguments, except for the first one, are invalid.

In rare instances, a safety factor of 1.5 is specified. It has been
adopted from specifications for structures. However, this low safety
factor takes care of only the known strength variation of the basic
materials, and not of the many additional uncertainties and
contingencies which plague the components of complex military
equipment. Therefore, it is not nearly high enough to achieve the
required degree of absolute component reliability.

Fig. 3. Two Types of Components Exhibiting
Different Variations of Ultimate Strengths


There is another serious shortcoming of present specifications. To
prove that safety factors are as specified, samples must be tested to
failure with regard to any critical design characteristic, including
wear-out life. However, present specifications rarely require tests to
failure, only tests up to specified limits. Many of these limits were
conceived years ago, by people who were in no position to know the
extreme environmental conditions and the extreme reliability
requirements of modern military equipment. Hence, most of the limits
have become unrealistic and misleading.

Moreover, since failure tests are not required, component designers
are not compelled to determine the inherent weaknesses of their
creations, their ultimate strength values, and their safety factors.
As a result, systems designers, employing the components in their
systems, may never know whether they are highly reliable, marginal, or
downright unreliable.

Considering the striking benefits derived from generous safety
factors, one might wish that the presently specified low safety factor
of 1.5 be raised drastically, say to four or five. This, however,
cannot be recommended because it would, indeed, so encumber airborne
equipment as to ruin its performance.

2. The Principle of Safety Margins

It would be ideal to have specifications which would increase both
reliability and performance. We may attain this goal by replacing the
principle of rigidly specified safety factors by the more
sophisticated yet much more effective principle of safety margins. It
takes care of the fact that unreliability is caused not only by low
averages but also by large variations of strength.

Variations may be large or small, as illustrated in Figure 3. Although
components A and B have the same average strength, component B
evidently is far less reliable than component A. It is, therefore,
imperative that the characteristic variation of stresses and strengths
be determined also, by testing small but sufficient samples to
failure. The result of such a test-to-failure program is illustrated
in Figure 4.

Fig. 4. Scatterbands of Stresses and Strengths

The reader will note that component No. 8 is weaker than the stress to
which it will be subjected, and that therefore missile No. 8 will
fail.

Obviously, scatterbands of stresses and strengths must be separated by
safety margins. Here the question arises how large the safety margins
should be to achieve the required ultrahigh, or “absolute,” degree of
component reliability.

Before we may discuss this vital question, we must dwell for the
moment on the still-widespread misconception that reliability may be
judged on the basis of a single failure test.

Figure 4 indicates that safety factors fluctuate even more violently
than the stresses and strengths upon which they are based (compare
Tests No. 2 and 3). Therefore, relying on the test-to-failure data of
just one unit is short-sighted and irresponsible. This is illustrated
in Figure 5 where the scatterband of stress data has been replaced by
the maximum stress level, called the “Reliability Boundary.” (About
Reliability Boundary, see Reference 1, Part V.)

Fig. 5. The Fallacy of Testing Just One Unit

If only one test were conducted and relied upon, and if the result
complied with the specified minimum safety factor of 1.5, as
illustrated by the black dot, the component type might be accepted for
mass production and employment in complex military equipment. If,
however, more units were tested to failure, a shocking degree of
variation, hence unreliability, would be revealed. The component type
of Figure 5 may ruin not just missile No. 8 but many missiles, even a
whole missile project.

3.  Measuring  Safety  Margins 

By  testing  a  sufficient  number  of  units  up  to 
failure,  we  obtain  the  characteristic  variation 
of  the  strength  data.  We  may  express  it  in  terms 
of  the  Range,  or  the  Mean  Deviation,  or  the 
Standard  Deviation: 

Which one of these three measures of variation is most suitable here?
In Reference 2, page 207, it is shown that the standard deviation is
far more efficient than the range, and approximately 10 percent more
efficient than the mean deviation. Ten per cent of a comprehensive
test-to-failure program that may cost millions of dollars, would
represent a substantial saving of money and time. Compared to this,
the small extra effort required for computing the sample standard
deviation is entirely negligible. It is therefore recommended that the
standard deviation be used here.

Using the standard deviation as a yardstick of variability has a great
advantage in that it permits the reliability engineer to tie in
quality control with reliability control. We shall return to this
problem in Section 6.

It has been argued that the standard deviation, being an accurate
statistical tool, must not be employed as a measure of inaccurate
safety margins. This argument is based on the erroneous assumption
that the goal of reliability efforts is the accurate measurement of
reliability, whereas in fact it is the achievement of reliability. For
the components of complex military equipment this reliability must be
so high that it cannot be measured anyway.* But it may be expressed
indirectly by the number of standard deviations available between
average strength and maximum stress. True, safety margins are
inherently inaccurate, but this is no reason to deny the reliability
engineer a mathematical tool, accurate or inaccurate, if it serves his
purpose.

* As a rule of thumb, the sample size must be 10 times as large as
indicated by the permissible reciprocal failure rate if we want to
prove, with a confidence of 90 per cent, that the real probability of
failure lies between 0.5q and 1.5q (where q is the measured failure
rate). For example, if we want to prove that not more than one unit
out of a hundred will fail, we must test a thousand units. If we want
to prove that not more than one unit out of a hundred thousand will
fail (this may be required for the components of complex guided
missiles), we must test a million units of each type of component!
(See “Testing to Specified Limits Versus Testing to Failure,” by this
author.)

4. How to Judge and Increase Safety Margins

The principle of safety margins is illustrated by the examples shown
in Figures 6 through 10.

Let us assume that between the average strength and the Reliability
Boundary a minimum safety margin of five standard deviations were
specified. After having tested a sample, say 12 units, to failure we
compute the standard deviation and find that the safety margin is only
2.7 standard deviations (Figure 6). Thus, the safety margin must be
increased. We may first try to lower the severity of the environmental
condition, for example by providing a shock absorber or by
intensifying the cooling of the component. We may also select a
stronger type of component. If neither is practical, the component
must be redesigned. In most instances, this is easy because the
failure tests will have revealed the prevailing modes, or mechanics,
of failures. Either the average strength may be increased, as shown in
Figure 7, or the inherent variation reduced, as in Figure 8, whichever
appears most suitable to save weight, time, or expense.

Redesign may result in an increase of the average strength, or in a
decrease of variation, or both. In the latter case, the safety margin
may soar up to 10 standard deviations, as shown in Figure 10, twice as
many as specified, and almost four times as many as attained
initially—a great achievement!

Whenever saving of weight is not a paramount issue, large safety
margins are highly welcome contributions to the overall reliability.
Therefore, in specifying safety margins we should be generous. We
should use a shovel rather than a scalpel; ten standard deviations are
preferable to five, and 20 preferable to 10.

Components having very large safety margins may be considered
“absolutely” reliable. They may be placed in the “‘good’ basket,”
thereby freeing us to concentrate on those component types which still
suffer from low safety margins.

When saving of weight is of prime importance, as in the design of
structural components, the concept of safety margins permits saving
weight by keeping the safety margin down to the specified minimum of,
say, five standard deviations. (Compare Figure 9 to Figure
[illegible].) In the design of simple structural parts having very
small inherent variations of strength, such as machined pins, the
designer may reduce dimensions and weight to a bare minimum if he can
prove, through tests to failure, that the specified minimum safety
margin of, say five standard deviations, is still available.

This is illustrated in Figure 10. Although, in this event, the safety
factor is only 1.2, the component may be accepted, and considerable
weight may be saved. It thus becomes evident that the principle of
safety margins not only helps to achieve and control the required
“absolute” degree of component reliability, but also helps to improve
performance by indicating where dead weight may be saved. Thus the
crucial antagonism between performance and reliability may be greatly
alleviated.
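
The judgment described in Sections 3 and 4, as an added Python example (not code from the original study): it computes the safety factor and the safety margin in standard deviations from units tested to failure, and shows a type with safety factor 1.5 rejected while a low-variation type with safety factor 1.2 is accepted. The strength values, the Reliability Boundary of 100 and all function names are constructed for illustration; the minimum of five standard deviations is the one assumed in the text.

```python
"""Safety factor versus safety margin from test-to-failure data.

Added illustration: data and names are constructed, not taken from the study.
"""
from dataclasses import dataclass
from statistics import mean, stdev


@dataclass(frozen=True)
class MarginReport:
    mean_strength: float
    std_dev: float         # sample standard deviation of the failure data
    safety_factor: float   # average strength / Reliability Boundary
    safety_margin: float   # (average strength - boundary) in std deviations
    accepted: bool         # True if the margin meets the specified minimum
    mean_needed: float     # average strength that would meet it (cf. Figure 7)
    std_dev_needed: float  # variation that would meet it (cf. Figure 8)


def assess(strengths, boundary, min_margin=5.0):
    """Judge a component type from a sample of units tested to failure.

    strengths  -- failure level of each tested unit (any consistent unit)
    boundary   -- Reliability Boundary: maximum stress expected in service
    min_margin -- specified minimum safety margin, in standard deviations
    """
    if len(strengths) < 2:
        raise ValueError("one unit tells nothing about the variation")
    if boundary <= 0 or min_margin <= 0:
        raise ValueError("boundary and min_margin must be positive")
    avg = mean(strengths)
    sd = stdev(strengths)
    if sd == 0:
        # No observed variation: the margin is unbounded in either direction.
        margin = float("inf") if avg > boundary else float("-inf")
    else:
        margin = (avg - boundary) / sd
    return MarginReport(
        mean_strength=avg,
        std_dev=sd,
        safety_factor=avg / boundary,
        safety_margin=margin,
        accepted=margin >= min_margin,
        mean_needed=boundary + min_margin * sd,
        std_dev_needed=max(avg - boundary, 0.0) / min_margin,
    )


def units_passing_factor(strengths, boundary, min_factor=1.5):
    """Count units that, if tested alone, would satisfy a minimum safety factor."""
    return sum(1 for s in strengths if s / boundary >= min_factor)


# Constructed samples of 12 units each, tested to failure.
BOUNDARY = 100.0
# Type A: average 150 (safety factor 1.5) but large variation.
TYPE_A = [118, 128, 134, 140, 145, 150, 150, 155, 160, 166, 172, 182]
# Type B: average 120 (safety factor 1.2), small variation, e.g. a machined pin.
TYPE_B = [114, 116, 117, 118, 119, 120, 120, 121, 122, 123, 124, 126]

if __name__ == "__main__":
    for name, data in (("A", TYPE_A), ("B", TYPE_B)):
        r = assess(data, BOUNDARY)
        print(f"type {name}: factor {r.safety_factor:.2f}, "
              f"margin {r.safety_margin:.2f} sd, accepted={r.accepted}, "
              f"single units passing factor 1.5: "
              f"{units_passing_factor(data, BOUNDARY)} of {len(data)}")
        if not r.accepted:
            print(f"  raise average strength to {r.mean_needed:.1f} "
                  f"or cut std dev from {r.std_dev:.1f} to {r.std_dev_needed:.1f}")
```

Seven of the twelve type A units would individually satisfy the 1.5 safety factor, which is how a single test can pass a type whose margin is only 2.7 standard deviations.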

5.  Strength  Testing  Versus  Life  Testing 

Many believe that the principle of safety margins is applicable to
strength testing, but not to life testing. Thus a conceptual
discrepancy is created, resulting in a great deal of unnecessary
confusion.

Actually, as discussed in the Introduction of Reference 1, the terms
“stresses” and “strengths” are not restricted to mechanical forces;
they may be applied to life as well. Strength of life is indicated by
a scatterband of life test data, whereas stress of life is indicated
by the specified replacement age.

This is illustrated by the characteristic wear-out frequency
distribution, Figure 11. To assure that a piece of equipment will not
fail from wear-out, its components must be replaced preventively, that
is, before the wear-out distribution hump is reached. To this end, a
minimum safety margin between the average life and the replacement age
must be specified, as shown in Figure 11. Again, this safety margin
may best be expressed in standard deviations. The reader will notice
that the specified replacement age constitutes the Reliability
Boundary.

Life safety margins may be increased by simply lowering the specified
replacement age. This is generally easier than lowering the severity
of an environmental stress condition. However, it will increase cost
of maintenance.

As  in  strength  testing,  the  sample  sizes  re¬ 
quired  in  life  testing  need  not  be  large.  Twenty, 
ten,  or  even  fewer  units  may  occasionally 
suffice  to  obtain  a  rough  picture  of  the  aver¬ 
age  life,  and  the  variation  of  life. 

Small  sample  sizes  such  as  these  bring  about 
a  great  deal  of  statistical  uncertainty.  There¬ 
fore,  generous  sample  sizes  should  be  employed 
whenever  low  cost  per  unit  permits  it. 

Much  more  problematic  than  the  risk  caused 
by  small  sample  sizes  is  the  strong  (4th  to  7th 
power)  dependence  of  wear-out  life,  hence  re¬ 
liability,  on  the  severity  of  environmental 
conditions.  Unqualified  life-test  data  must 
therefore  be  viewed  with  skepticism,  and  gen¬ 
erous  safety  margins  must  be  applied  to  com¬ 
pensate  for  the  risk  caused  by  the  uncertainty 
of  conditions.  - 

This  will  be  discussed  further  in  the  next 
section.  But  it  may  be  stated  right  here  that 
this  risk  may  be  greatly  reduced  by  conduct¬ 
ing  life  tests  under  conditions  which  are  un¬ 
doubtedly  more  severe  than  those  expected  in 
service. 

6.  How  Many  Standard  Deviations? 

The question arises: How many standard
deviations shall be specified? Actually, there
is no fixed number to be specified for all types
of components, relative to all environmental
conditions and design criteria, for the following
reason: To assure that a component type
will never cause the loss of complex military
equipment, every conceivable risk factor, such
as uncertainties of measurements, skills, and
of war conditions, must be covered by a safety
margin of its own. Figure 12 contains a tentative
list of factors which must be considered
in specifying safety margins that are really
adequate.

FACTORS INFLUENCING CHOICE                  Specified Contingency Margin
OF SAFETY MARGINS                           (Standard Deviations)

 1. Uncertainty in Determining Service Conditions               1
 2. Uncertainty in Predicting Design Parameters                 2
 3. Uncertainty of Test Methods                                 1
 4. Uncertainty of Statistical Evaluations                      1
 5. Uncertainty in Judging Reliability Skills
    of Subcontractors and Vendors                               2
 6. Uncertainty in Judging Reliability Skills
    of Maintenance People                                       2
 7. Risk of Two-Front System
    (See Reference 1, Part III)                                 3
 8. Employment in Low-risk Equipment                            0
 9. Employment in High-risk Equipment                           3
10. Employment in Ultrahigh-risk Equipm.                       10
11. Non-destructive Testing Impractical                         2
12. Redundant Usage Impractical                                 1
13. Saving of Weight Not an Issue                               2

Fig. 12. Suggested List of Contingencies and

The total contingency margin, Kc, may now
be computed by simply adding up the various
contingency margins. However, since not
all of the contingencies will occur at the same
time, or during the same firing, it suffices to
take the square root of the sum of the squares,
for example:

$$K_c = \sqrt{1^2 + 2^2 + 1^2 + 1^2 + 2^2 + 2^2 + 3^2 + 5^2 + 2^2 + 1^2 + 2^2} = \sqrt{58} = 7.6 \approx 8 \text{ standard deviations}$$

The basic principle of the total contingency
margin, Kc, is that it be kept strictly in reserve
just in case that any of the contingencies, or
any combination of them, might occur in
service. Therefore, to allow for the inherent,
or “legitimate,” variation of strength, an additional
scatter margin, of say three standard
deviations, must be specified, as illustrated in
Figure 13. (See Reference 1, Part I.)

Specifying and attaining the minimum contingency
margin is the responsibility of the reliability
engineer. He will have to keep all lists
of contingencies and contingency margins on
file so that he may check them in order to
ascertain whether or not a failure was caused
by an inadequate specification. He may have
to make an original specification more stringent
if, for example, the reliability skill of a
vendor, or of a maintenance crew, is lower than
he had anticipated. He may have to make a
specification less stringent if, for example, a
component turns out to be much heavier than
expected, or if the cost of achieving and maintaining
a specified safety margin turns out to
be excessive.

Fig. 13. Contingency Margin and Scatter Margin

Once  a  satisfactory  degree  of  design  relia¬ 
bility  is  established,  and  proved  to  exist  by 
tests  to  failure,  the  quality  control  engineer 
will  take  over.  He  has  the  responsibility  of 
assuring,  by  approved  methods  of  statistical 
quality  control,  that  during  the  manufactur¬ 
ing  process  neither  the  average  strength  de¬ 
creases  nor  the  standard  deviation  increases. 
He  must  prove  this  continuously  by  testing  to 
failure  small  but  adequate  production  samples 
with regard to those environmental conditions
which,  during  the  prototype  tests,  have  shown 
the  need  of  permanent  control.  In  this  manner, 
the  quality  control  engineer  may  maintain, 
and  even  increase,  the  safety  margins  estab¬ 
lished  in  the  prototype  stage. 

Compared to the old-fashioned method of
specifying fixed safety factors, the procedure
of safety margins described here might appear
unnecessarily elaborate. It is not. When a component
may cause the total loss of a million-dollar
missile or aircraft, or the loss of lives, it
is the first duty of the reliability engineer to
carefully consider every conceivable contingency
and to cover it by a generous safety
margin of its own.

7.  Overdesign  and  Reliability 

It  is  often  argued  that  generous  safety  mar¬ 
gins  unavoidably  lead  to  overdesign,  that  is,  to 
excessive  weight,  reduced  performance,  high 
cost,  and  delayed  schedules.  Is  this  true? 

There  is  the  performance  fanatic  who,  by 
sacrificing  reliability,  economy  and  schedules, 
tries  to  squeeze  out  of  his  design  the  last  mile 
per  second,  and  the  last  foot  of  ceiling.  There 
is  the  unresourceful,  apprehensive  designer 
who  clings  to  his  design,  unable  to  finish  and 
release  it  for  production.  In  either  case,  warn¬ 
ings  against  overdesign  are  well  justified. 

But there is also the hasty, superficial designer
who, pretending to fight against overdesign,
tries to push a new design into production, be
it mature or immature, light or heavy, inexpensive
or expensive, reliable or unreliable.

Significantly,  advocates  of  haste  and  super¬ 
ficiality  are  the  ones  who  assert  that  reliability 
may  be  improved  later,  during  production  and 
service  use,  by  quality  control  and  failure  re¬ 
porting.  Since  this  is  impossible,  they  just  bring 
about  the  very  consequences  of  overdesign  they 
pretend  to  battle,  namely  excessive  weight,  re¬ 
duced  performance,  high  cost  and— as  a  result 
of  necessary  design  changes — badly  delayed 
schedules.  Worst  of  all,  they  bring  about  poor 
reliability.  This  is  why  reliability  engineers 
must  take  issue. 

While warnings against overdesign are oftentimes
justified, they must never be misconstrued
as an invitation to neglect the principle of safety
margins. Whenever this is the case, the Reliability
Coordinator must take immediate
action, educational or otherwise, before a low
reliability barrier becomes chronic and incurable.

8. Statistical Accuracy and Reliability

Since component reliability is primarily a
function of the design safety margin, and since
we must strive for absolute component reliability,
the emphasis must be on generous. In
specifying safety margins it would be unwise
to be niggardly, particularly in the innumerable
cases where large safety margins may be
attained easily without adding weight, cost,
and time. As stated before, 10 standard deviations
are better for reliability than five, and
20 are better than 10. Generosity in specifying
safety margins is therefore the hallmark of the
experienced reliability-conscious engineer (compare
List of Safety Factors, Figure 2).

Statisticians may argue that generous safety
margins and statistical accuracy are not compatible.
This is true. The purely statistical
approach, whereby the “area under the tail”
of a failure frequency distribution is accurately
translated into probabilities of failure,
or indices of reliability, will result in an overly
optimistic judgment of reliability, hence in
disaster. Looking at the list of risk factors,
Figure 12, the reader will note that uncertainty
of statistical evaluation is one of many contingencies,
but by no means the most hazardous one.
This proves that, in matters of reliability, striving
for statistical accuracy is futile; it is
even dangerous because it may divert attention
from the many other risk factors
which, if not taken care of by generous contingency
margins, may kill many more missiles
than the hazard generated by the uncertainty
of statistical evaluation.

9. Who Shall Write Reliability Specifications?

Which  agency  shall  conceive  and  specify 
the  size  of  the  safety  margins?  Is  it  the  prime 
contractor,  or  the  contracting  agency,  or  who? 

As just discussed, the proper designation of
safety margins must be based on a wide variety
of engineering considerations. These, however,
are known only to those who are thoroughly
familiar with the details of the design of a
component type, or an equipment, that is, the
designers, test engineers, and production
engineers.

Unfortunately, we cannot expect that thousands
of design specialists are equally and sufficiently
conscious of the serious reliability
problem of guided missiles and their components,
arising as a result of the long chain of
automatic devices. True, many might be
genuinely reliability-minded, yet experience
shows that the majority are not eager to fight
for the cause of reliability. (In justice to them
it should be said that oftentimes funds are not
available to pursue the cause of reliability.)
However, since any single designer, as a link
in the reliability chain, may ruin a whole missile
type, it should not be his prerogative to
choose the minimum safety margins according
to personal taste. Designating, specifying, and
controlling safety margins should be the task
of the assigned reliability organization of the
prime R&D contractor. Such an organization
should consist of highly skilled, highly
reliability-minded design specialists in the various
fields of technology, such as electronics,
aerodynamics, hydraulics, servo-mechanisms,
guidance systems, stress analysis, propulsion,
warheads, inspection and quality control, logistics,
and operational analysis.*

It  thus  becomes  clear  that  the  responsibility 
for writing of, and complying with, reliability
specifications  must  be  placed  squarely  on  the 
shoulders  of  the  R&D  prime  contractor. 

10. The Role of Contracting Agencies

But this does not imply that contracting
agencies shall have no responsibility in writing
reliability specifications. True, such an agency
must place a great deal of reliance on the integrity
and reliability-mindedness of a prime
contractor. However, since contracting agencies
are immediately responsible to the Armed
Forces and the taxpayer, they must not exempt
themselves from establishing and controlling
reliability policies. Rather, they must write a
Reliability Code, specifying at least minimum
safety margins which the contractor must
prove to exist.

*In order to obtain competent reliability engineers it will
be necessary to pay them salaries commensurate with the
enormous difficulty and responsibility of their task, and to
place them high in the organization. (For further discussion
of the organization and tasks of a reliability coordination
group see Reference 5, pages 59-44 and Reference 6,
Section K.)

This  is  nothing  new.  Wherever  large  ma¬ 
terial  values  and  human  lives  are  at  stake,  as 
in  the  design  of  buildings,  elevators,  and  piloted 
aircraft,  contracting  agencies  are,  as  a  matter 
of  course,  forceful  in  conceiving,  specifying  and 
controlling  generous  safety  factors.  No  con¬ 
tractor  would  dare  ignore  them  and  no  con¬ 
tracting  agency  would  accept  a  product  which 
does  not  comply. 

In  Part  IV  an  attempt  is  made  to  write  a 
Reliability  Code  for  guided  missiles. 

PART  IV 

RELIABILITY  CODE  FOR  GUIDED  MISSILES 

1.1 General

Since  guided  missiles  are  fully  automatic, 
and non-recoverable, the failure of any one
component  will  result  in  the  failure  of  the 
entire  missile.  In  order  to  achieve  an  accept¬ 
able  overall  reliability,  missile  components 
must  be  made  much  more  reliable  than  usual. 
Two  or  three  times  better  than  the  commer¬ 
cial  product  is  not  nearly  enough;  they  must 
be  made  perhaps  a  thousand  times  more  reli¬ 
able,  or  better,  “absolutely”  reliable. 

To  approach  this  goal,  the  following  para¬ 
graphs  are  specified: 

1.1.1  Determining  Overall  Reliability 

The  overall  reliability  of  the  missile  system 
shall  be . . .  per  cent.  To  prove  this,  not  less 
than . . . missiles shall be fired at range of . . .
miles,  under  proving  ground  conditions,  within 
the  Ordnance  Engineering-User  Test  Pro¬ 
gram.  (Numerical  values  shall  be  specified  de¬ 
pending  upon  the  military  characteristics  of  a 
missile;  upon  the  cost  per  test  firing,  including 
all  operational  expenses;  and  upon  the  total 
number  of  missiles  produced.) 

1.1.2 Homogeneity of Test Samples

In  determining  the  overall  reliability  of  mis¬ 
siles,  the  contractor  shall  not  be  required  to 
keep the sample homogeneous, just for the
sake of statistical accuracy. Rather, he shall try
to  increase  the  reliability  of  the  remaining  mis¬ 
siles  as  much  as  possible  by  promptly  redesign¬ 
ing  or  remanufacturing  all  types  of  components 
which,  during  the  preceding  test  firings,  have 
proved  inadequate.  Increasing  reliability  shall 
have  priority  over  measuring  reliability. 

1.1.3  Surveillance  of  Reliability 

The  growth  of  reliability  of  the  missile  and 
its  components  shall  be  accelerated  and  con¬ 
trolled  thoroughly  and  systematically  by  an 
organization  of  highly  qualified  reliability 
engineers. 

1.1.4  Missile  Breakdown 

The  missile  system  shall  be  broken  down 
into  its  packaged  units,  subassemblies,  com¬ 
ponents,  and  parts.  The  original  breakdown 
lists,  and  subsequent  revisions,  shall  be  pre¬ 
sented  to  the  contracting  agency  for  approval. 

1.1.5  Definitions 

a.  System:  A  group  of  equipments  integrated 
to  perform  a  function.  (Example:  A  weapon 
consisting  of  a  missile,  and  all  ground  or  air¬ 
craft  equipment  necessary  to  operate  it.) 

b. Equipment: A combination of assemblies
which is capable of operation by itself. (Example:
A guided missile, including all packaged
units within the missile.)

c.  Assembly:  A  group  of  subassemblies,  com¬ 
bined  and  packaged  in  one  housing.  (Exam¬ 
ples:  An  antenna  tuner,  radio  transmitter,  the 
nose  cone  of  a  missile.) 

d.  Subassembly:  A  commonly  mounted  group 
of  components  which  may  be  subject  to  dis¬ 
assembly,  but  which  is  not  capable  of  opera¬ 
tion  by  itself.  (Examples:  An  i.  f.  strip,  a 
terminal  board  with  components  attached.) 

e.  Component:  An  item  not  normally  subject 
to  further  disassembly.  (Examples:  Resistors, 
capacitors,  tubes,  potted  or  molded  items.) 

f.  Element:  A  part  of  a  component  that  can¬ 
not  be  removed  without  destroying  the  com¬ 
ponent.  (Examples:  A  filament  of  an  electron 
tube,  a  contact  of  a  relay.) 

Electronic components contribute most to
the unreliability of guided missiles because
they are complex in themselves; because they
are rarely developed for the exceedingly severe
conditions and requirements in guided missiles;
and because they usually occur in missiles in
very large numbers. Electronic equipment shall
therefore be broken down and controlled with
particular care.

1.1.6 Environmental Stresses

Existing  general  specifications  of  environ¬ 
mental  conditions  shall  be  applied  only  if  their 
validity  for  the  specific  missile  has  been  proven 
by testing a sufficient number of units. (See
also 1.1.13, 1.1.16, and 1.1.17.)

1.1.7 Fixed Environmental Conditions shall
be determined and specified by military requirements
such as climatic conditions, or
required storage age. These are, therefore,
identical with the Reliability Boundary. (For
discussion of Reliability Boundary, see 1.1.9,
and Ref. 1, pages 36-43.)

1.1.8 Self-Induced Environmental Conditions
shall be determined by the prime contractor,
through calculations, laboratory tests, and
flight tests. To this group belong all self-generated
stresses, such as shocks, vibrations, accelerations,
and temperatures. The average
value of these stresses, as well as their characteristic
variation, shall be determined by
testing sufficient numbers of units. The variation
shall be expressed by the sample standard
deviation. (About standard deviation, see
Fig. 14.)

1.1.9 Determination of the Reliability
Boundary

A numerical stress level shall be established
for all environmental conditions, such as shock,
vibration, temperature, corrosive conditions;
for all other critical design requirements such
as frequencies, voltages, pressures, sensitivities,
selectivities, elasticities, alignments, adjustments,
mechanical and electrical tolerances;
and for all maximum supply requirements,
such as electronic, hydraulic, or pneumatic
power supplies. This stress level shall be used
as the basis for the selection or development
of components that must be capable of operating
under these conditions with absolute reliability.
This stress level is called the “Reliability
Boundary.” It shall be determined by
adding a safety margin of six (6) standard
deviations to the average value of the measured
environmental stress condition, or design
requirements, as shown in Figure 14.

1.1.10 Estimate of Environment

Whenever  a  stress  or  design  requirement 
has  not  yet  been  measured,  a  generously  esti¬ 
mated  value  shall  be  established  and  used. 

1.1.11 Determination of the Strength
of Components

The strength of any type of component,
relative to any environmental condition, or to
any vital design requirement, shall be proved
by testing to failure a sufficient number of
units. (See also 1.1.14.)

1.1.12 Proof of Safety Margin

The contractor shall prove that a safety
margin of at least five (5) standard deviations
is available between the average strength and
the Reliability Boundary. (See Fig. 15.)

1.1.13 Accelerating Test-to-Failure
Programs

Immediately after the preliminary design
has been started, and the first component types
tentatively selected, a vigorous test-to-failure
program shall be started, and conducted with
highest priority. Even where the severity of a
condition or a design requirement is known
only vaguely, or not at all, the contractor shall
start failure testing of those types of components
that may suffer from that condition.
Once the condition and the Reliability Boundary
are determined numerically, it can and
shall be decided without delay whether or not
the component type previously tested to failure
is acceptable for use in the missile.

1.1.14 Sampling for Failure Tests

The number of units required for the individual
test-to-failure programs may be small
or large, as the case may be. The sample size
shall be determined depending on these factors:
the degree of maturity already achieved; the
cost of the component; the cost and duration
of one test; the number of units employed per
missile; the complexity of the component; the
complexity of the missile; and the importance
of the missile to the national defense.

1.1.15 Risk Factors for Small Sample Sizes

The risk of accepting an unreliable component
type increases as the sample size decreases.
To compensate for this risk, and to stimulate the
testing of generous sample sizes, the sample standard
deviation shall be enlarged by a risk
factor obtained from Figure 16.

(For further discussion of sample risk factors,
see Reference 1, pages 22-26.)

Fig. 16. Risk Factors Compensating for
Small Sample Sizes

The  enlarged  standard  deviation  thus  ob¬ 
tained  shall  be  used  to  determine  the  safety 
margin,  that  is,  the  number  of  enlarged  stand¬ 
ard  deviations  available  between  the  average 
strength  and  the  Reliability  Boundary.  This 
is  illustrated  by  the  example  in  Figure  15. 

1.1.16 The Relationship Between Scatterbands
of Stresses and Strengths is illustrated
in Figure 17. Because an error in determining
a stress scatterband may ruin many component
types, whereas an error in determining the
strength endangers only one component type,
the minimum stress safety margin shall be
specified more generously (6s, for example)
than the strength safety margin (5s, for example).

1.1.17 Safety Factors

Whenever the first test-to-failure of a component
type proves that it is at least four (4)
times stronger than the Reliability Boundary,
no further units need to be tested. A safety
factor of four (4) may, in most instances, be
considered as proof that, with regard to that
particular condition, a high degree of reliability
is already attained. If the contractor feels,
however, that more units should be tested to
failure to clarify the mechanics of failure, he
may do so.


1.1.18  Relationship  Between  Safety 
Margins  and  Safety  Factors 

A  safety  factor  of  four  (4)  is  not  a  minimum 
requirement.  It  is  intended  to  relieve  the  work¬ 
load,  cost,  and  schedule  of  a  test-to-failure 
program  whenever  the  first  unit  tested  turns 
out  to  be  at  least  four  times  stronger  than  the 
Reliability  Boundary.  In  cases  of  simple,  easily 
controllable components, showing safety factors
of four and more, the reliability engineer
may consider the component highly reliable
in that particular respect, and discontinue the
tests,  at  least  for  the  time  being.  If,  however, 
the  strength  of  the  first  unit  turns  out  to  be 
less  than  four  times  the  Reliability  Boundary, 
particularly  if  the  component  is  complicated 
and  difficult  to  control,  the  contractor  shall 
test  more  units  and  prove  that  a  safety  margin 
of  at  least  five  (5)  standard  deviations  is 
available. 

This relationship between the concept of
safety factors and that of safety margins is
illustrated by the two examples of component
types in Figure 18.

Fig. 18. Safety Factor Versus Safety Margin


In  the  case  of  component  type  A,  where  the 
first  and  only  test  proved  a  safety  factor  of 
four,  no  further  units  need  be  tested.  In  the 
case  of  component  type  B,  where  the  first  unit 
tested  indicates  a  safety  factor  of  only  2.7,  the 
concept  of  safety  margins  must  be  employed. 
After  having  tested  a  total  of  five  units,  and 
having  enlarged  the  sample  standard  devia¬ 
tion  by  the  risk  factor  of  1.5  obtained  from 
Figure  15,  we  may  prove  a  safety  margin  of 
4.2  standard  deviations,  which  is  not  enough. 
We  must  test  a  few  additional  units,  say  five. 
This  time,  for  a  total  of  10  test  data,  the 
sample  standard  deviation  must  be  multiplied 
by  a  risk  factor  of  only  1.27.  Now  the  safety 
margin  is  5.5  standard  deviations  and  the 
component  type  may  be  accepted,  as  far  as 
this particular condition or design criterion
is  concerned. 
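
The acceptance procedure of paragraphs 1.1.9 through 1.1.18, worked through in Python as an added example that is not part of the original paper. The stress and strength readings are constructed so that component type B reproduces the 2.7, 4.2 and 5.5 figures quoted above; the function names are hypothetical, only the two risk factors quoted in the text are used, and one unit per missile is assumed (no increase per 1.1.19).

```python
"""Component acceptance per paragraphs 1.1.9, 1.1.12, 1.1.15, 1.1.17 and 1.1.18."""
from statistics import mean, stdev

STRESS_MARGIN_SD = 6.0        # 1.1.9: boundary = average stress + 6 standard deviations
REQUIRED_MARGIN_SD = 5.0      # 1.1.12: minimum strength safety margin
SHORTCUT_SAFETY_FACTOR = 4.0  # 1.1.17: a first unit this strong ends the test program

# Risk factors by sample size. Only the two values quoted in the component B
# example are available on the page; Figure 16 itself is not reproduced.
RISK_FACTORS = {5: 1.5, 10: 1.27}


def reliability_boundary(stress_samples):
    """Average measured stress plus six sample standard deviations."""
    return mean(stress_samples) + STRESS_MARGIN_SD * stdev(stress_samples)


def safety_margin(strengths, boundary, risk_factor):
    """Enlarged standard deviations between average strength and the boundary."""
    enlarged_sd = stdev(strengths) * risk_factor
    return (mean(strengths) - boundary) / enlarged_sd


def evaluate(strengths, boundary, risk_factors=RISK_FACTORS):
    """Return (verdict, figure) for the failure strengths measured so far.

    The figure is the safety factor of the first unit when the safety-factor
    rule decides or when only one unit exists, otherwise the safety margin.
    """
    if not strengths:
        raise ValueError("no units tested")
    first_factor = strengths[0] / boundary
    if first_factor >= SHORTCUT_SAFETY_FACTOR:
        return "accept (safety factor)", first_factor
    n = len(strengths)
    if n < 2:
        # One unit gives no standard deviation, so no margin can be proved yet.
        return "test more units", first_factor
    if n not in risk_factors:
        raise ValueError(f"no risk factor on hand for a sample of {n}")
    margin = safety_margin(strengths, boundary, risk_factors[n])
    if margin >= REQUIRED_MARGIN_SD:
        return "accept (safety margin)", margin
    return "test more units", margin


# Constructed readings (arbitrary units), not data from the paper.
STRESS = [65, 65, 70, 75, 75]                 # mean 70, s = 5, boundary 100
TYPE_A = [410]                                # first unit above 4x the boundary
TYPE_B_FIRST_5 = [270, 253, 287, 236, 304]    # first unit at 2.7x the boundary
TYPE_B_ALL_10 = TYPE_B_FIRST_5 + [270, 248, 292, 243, 297]

if __name__ == "__main__":
    boundary = reliability_boundary(STRESS)
    print(f"Reliability Boundary: {boundary:.1f}")
    cases = [
        ("A, 1 unit", TYPE_A),
        ("B, 1 unit", TYPE_B_FIRST_5[:1]),
        ("B, 5 units", TYPE_B_FIRST_5),
        ("B, 10 units", TYPE_B_ALL_10),
    ]
    for label, data in cases:
        verdict, figure = evaluate(data, boundary)
        print(f"{label:12s} {verdict:24s} {figure:.2f}")
```
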

1.1.19 Frequently Occurring Parts

The safety margins and safety factors specified
in the preceding paragraphs shall be applied
and proved for component types that
occur only once per missile. Since component
types that occur more frequently constitute
a proportionately greater hazard to the missile,
the safety margins and factors shall be
increased according to Figure 19.

Fig. 19. Minimum Safety Factors and Safety Margins
for Various Numbers of Units Employed per Missile
(Horizontal axis: units per missile.)

1.1.20 Maintaining Reliability in
Manufacture

After  the  required  “absolute’’  level  of  design 
reliability  has  been  achieved  for  a  type  of 
component,  it  shall  be  maintained  in  manu¬ 
facture  by  statistical  quality  control,  and 
proved  by  repeating,  as  often  as  necessary,  the 
essential  failure  tests  on  a  sampling  basis. 
However,  the  compromise  between  reliability 
and  cost  of  reliability  shall  not  be  based  on 
economic  interests  of  the  contractor  or  vendor, 
as  in  the  commercial  field,  but  rather  on  the 
military  and  economic  needs  of  the  Armed 
Forces.  These  needs  are  indicated  by  the  fact 
that  the  failure  of  a  10-cent  component  may 
cause  the  total  loss  of  a  million-dollar  missile. 

1.1.21  Waivers 

The safety margins specified in this code are
minimum requirements. They must be attained
and proved to exist before a missile
type can be accepted for production. In the
case of prototype missiles, fired for test purposes
only, the contracting agency may permit
employment of nonconforming components,
provided that the contractor can prove that
they will not contribute any risk to the test
missile involved. For very complex and expensive
missiles, this proof is absolutely required.

CONCLUSIONS


1.  Since  ordinary  specif 

inadequate  to  achieve  the 
component  reliability  requ 
nents  of  guided  missiles,  th 
mented  by  a  special  Reliabifl 
generous  safety  margins  bdj 
strengths.  1 

2.  Numerically  defined  j 
margins  will  be  a  strong  inc? 
ing  comprehensive  reliabilit' 

3.  Top  management,  de 
neers,  and  manufacturers,  k 
is  a  hurdle  to  overcome,  may 
reliability-minded  and  may 
implementation  of  a  compre 
program  of  guided  missile: 
ponents. 

4.  Designers  and  test  engii 
pelled  to  determine  the  actu 
conditions,  rather  than  to 
specifications  which  may  be  e 

5.  Designers  and  test  engit 
pelled  to  test  their  compoi 
failure,  in  sufficient  number 
termine  the  characteristic  vat 
values,  the  modes  of  faiiur€ 
margins  attained. 


